
Microsoft’s blame of EU regs for the CrowdStrike outage doesn’t make sense  

The recent CrowdStrike incident, which affected millions of Windows PCs globally, has sparked a blame game with Microsoft pointing fingers at EU regulators.

Microsoft claims that EU regulations, which encourage opening up the Windows kernel, contributed to the outage. However, this argument fails to acknowledge the broader benefits of these regulations, which promote competition and innovation in the tech industry.

A brief overview of the CrowdStrike incident

On July 19, 2024, CrowdStrike’s Falcon system, an anti-cyber attack tool, released a faulty update that caused a boot loop in millions of Windows PCs. This issue led to significant disruptions, grounding flights and impacting businesses globally. While Windows users suffered, Mac users remained unaffected, which Microsoft has used to criticize the EU's regulatory stance on software security.

However, blaming EU regulations for the CrowdStrike incident is a misdirection. The core problem was a flawed update from CrowdStrike, not the regulatory environment. Software vendors are responsible for ensuring the quality and reliability of their updates. Robust testing and quality assurance processes are critical in preventing such widespread issues. CrowdStrike’s failure to adequately test its update before deployment is the real cause of the disruption, not the EU’s push for more open and competitive markets.

The benefits of EU regulations

The EU's Digital Markets Act (DMA) aims to create a more competitive and fair digital market by preventing monopolistic practices and encouraging innovation. By opening up the Windows kernel to third-party security vendors, the DMA fosters a competitive environment where multiple vendors can offer security products. This competition drives innovation, leading to better and more diverse security products for consumers and businesses alike. The two main benefits are as follows:

  • Enhances security through diversity: Relying on a single vendor for security products, as Microsoft suggests, can create a monoculture that’s vulnerable to targeted attacks. Diversity in security solutions, enabled by open competition, reduces the risk of a single point of failure and enhances overall cybersecurity resilience.
  • Encourages innovation: When tech giants like Microsoft, Apple, and Google are challenged by innovative startups, it leads to the development of cutting-edge technologies. The competition ensures that no single company can dominate the market, which can lead to complacency and stagnation in innovation.

Matthew Prince, chief executive officer of Cloudflare, offers a compelling argument against consolidating security under a single provider. In a recent tweet, he said:

“Here’s the scary thing that’s likely to happen based on the facts of the day if we don’t pay attention. Microsoft, who competes with @CrowdStrike, will argue that they should lock all third-party security vendors out of their OS. ‘It’s the only way we can be safe,’ they’ll testify before Congress.

But lest we forget, Microsoft themselves had their own eternal screw up where they potentially let a foreign actor read every customer’s email because they failed to adequately secure their session signing keys. We still have no idea how bad the implications of #EternalBlue are.

So pick your poison. Today CrowdStrike messed up and some systems got locked out. That sucks a measurable amount. On the other hand, if Microsoft runs the app and security then they mess up and you’ll probably still be able to check your email — because their incentive is to fail open — but you’ll never know who else could too. Not to mention your docs, apps, files, and everything else. Today sucked, but better security isn’t consolidated security. It isn’t your application provider picking who your security vendor must be. It’s open competition across many providers. Because CrowdStrike had a bad day, but the solution isn’t to standardize on Microsoft.

And, if we do, then when they have a bad day it’ll make today look like a walk in the park.”

Prince's insights underscore that we should not consolidate security under a single provider. His reference to Microsoft's previous security failures, such as the mishandling of session signing keys, illustrates the risks of a monopolistic approach to security. Consolidating security under one vendor increases the risk of widespread, catastrophic failures when that vendor inevitably has a bad day.

Microsoft offers a misleading argument that Macs remained unaffected because of Apple's tight control over its ecosystem. While Apple's closed ecosystem has its benefits, it also has significant downsides, such as reduced flexibility and higher costs for consumers. Moreover, using the CrowdStrike case to argue for closed ecosystems ignores the broader context of cybersecurity. Open ecosystems, when properly managed, are often more secure because of the collaborative and competitive environment they create. Here are two benefits:

  • Shared responsibility: Security in open ecosystems operates as a shared responsibility between the platform provider and third-party vendors. This collaborative approach can lead to more comprehensive security solutions that benefit from diverse expertise and perspectives.
  • Transparency and accountability: Open ecosystems promote transparency and accountability. When multiple vendors can access and build on a platform, it encourages that the CrowdStrike outage does not get used as a scapegoat to undermine the EU’s efforts to promote competition and innovation in the tech industry. Instead, it should serve as a reminder of the importance of robust software development and testing practices. EU regulations like the DMA are crucial for fostering a competitive market that drives innovation and enhances security. Rather than criticizing these regulations, we should embrace them to create a more resilient and dynamic digital ecosystem.

The CrowdStrike incident was disturbing, unfortunate, and damaging for those affected. However, it highlights the need for better software quality assurance rather than a rollback of progressive anti-monopolistic regulations. The EU's efforts to open up markets and encourage competition are essential for driving innovation and improving cybersecurity. It’s only through such measures that we can build a safer and more competitive digital future.

Ted Miracco, chief executive officer, Approov
